Installing Fail2ban with Ansible on Ubuntu 18.04 (Bionic Beaver)

in linux •  7 years ago  (edited)


Preamble

This is a very short post covering a rudimentary Ansible playbook (if you can even call it one) that contains tasks for installing Fail2ban in a straightforward manner. It's intended as a follow on from the manual set of instructions/commands most people are familiar with, which I covered in this other post:

Installing Fail2ban on Ubuntu 18.04 (Bionic Beaver)

At the end I'm linking to a third and final post which goes into detail on a more extensive solution to installing Fail2ban, as part of an Ansible provisioning project. It uses an Ansible role rather than a standalone playbook.


Installing Fail2ban with Ansible

This is probably the simplest and most obvious solution short of installing manually. It takes the form of a single playbook and a template file.

Somewhere suitable (e.g. in version control) create the main playbook file.

$ vim fail2ban-playbook.yml

Enter in the following playbook contents:

---
- name: installs fail2ban on ansible hosts
  hosts: fail2ban-hosts
  become: yes
  tasks:

  # refresh the apt cache if it is older than an hour, then install both packages
  - name: install apt fail2ban packages
    apt:
      name:
        - fail2ban
        - sendmail
      state: latest
      update_cache: yes
      cache_valid_time: 3600

  # copy transfers the file as-is; it is not rendered as a Jinja2 template
  - name: override the basic fail2ban configuration with .local file
    copy:
      src: jail.local.j2
      dest: /etc/fail2ban/jail.local
      owner: root
      group: root
      mode: "0644"


The first task updates the package manager cache (if it has not been updated within a set time period) and then installs the fail2ban plus sendmail packages.

The second copies across a local configuration file for Fail2ban, giving it the necessary permissions and ownership.

Next create the previously mentioned template file (locally still of course).

$ vim jail.local.j2

Add in your own Fail2ban configuration settings; these are mine for example purposes, but can be used:

[DEFAULT]

# email address to receive notifications.
destemail = root@localhost    
# the email address from which to send emails.
sender = root@<fq-hostname>    
# name on the notification emails.
sendername = Fail2Ban    
# email transfer agent to use. 
mta = sendmail   

# ban and unban through UFW; see action.d/ufw.conf
banaction = ufw

[sshd]
enabled = true
port = ssh
filter = sshd
# the window, in seconds, in which maxretry failed attempts must occur.
findtime = 600
# attempts from a single ip before a ban is imposed.
maxretry = 5
# the number of seconds that a host is banned for.
bantime = 3600


These settings assume UFW is in use as the firewall on the host, hence the UFW action setting.

It would make sense to create a local Ansible config and local hosts file to keep everything contained to the current repo/directory.

$ vim ansible.cfg 

Point Ansible commands at a local inventory file named hosts.

[defaults]
inventory = hosts

Create the local "hosts" file in turn.

$ vim hosts 

The hosts file then needs to contain your target hosts' details, using Ansible's INI inventory syntax such as:

[fail2ban-hosts]
host-one ansible_host=your.vps.ip.address ansible_python_interpreter=/usr/bin/python3
host-two ansible_host=your.vps.ip.address ansible_python_interpreter=/usr/bin/python3
host-three ansible_host=your.vps.ip.address ansible_python_interpreter=/usr/bin/python3
# Add more hosts here as needed.

Note: Currently Ansible uses Python 2.7 system libraries, and most Ubuntu images have Python 3.0+ installed. So this "interpreter" variable is usually necessary to access the correct libraries with Ansible.

Running the playbook on the remote host (or set of remote hosts) is then rather easy.

Make sure to include -K, which prompts for the password used by the playbook's become: setting. Substitute your own username (scarlz in my case); the user must have sudo privileges.

$ ansible-playbook -u scarlz -K fail2ban-playbook.yml
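Copying jail.local does not by itself make a running Fail2ban pick up the new settings, so the following added example (not part of the original post) restarts the service through a handler and then confirms the sshd jail is active. It assumes the same fail2ban-hosts group and jail.local.j2 file used above; the play name, task names and the sshd_jail variable are illustrative.

```yaml
---
- name: apply jail.local and confirm the sshd jail is live
  hosts: fail2ban-hosts
  become: yes
  tasks:

  - name: copy the jail.local override
    copy:
      src: jail.local.j2
      dest: /etc/fail2ban/jail.local
      owner: root
      group: root
      mode: "0644"
    # only fires when the file content or attributes actually changed
    notify: restart fail2ban

  - name: make sure fail2ban starts at boot and is running now
    service:
      name: fail2ban
      state: started
      enabled: yes

  # run any pending restart here, so the check below sees the new settings
  - meta: flush_handlers

  - name: query the sshd jail
    command: fail2ban-client status sshd
    register: sshd_jail
    changed_when: false
    # the server socket can take a moment to come back after a restart
    retries: 5
    delay: 2
    until: sshd_jail.rc == 0

  - name: show the jail status (filter and action counters)
    debug:
      var: sshd_jail.stdout_lines

  handlers:
  - name: restart fail2ban
    service:
      name: fail2ban
      state: restarted
```

If the sshd jail is missing or jail.local fails to parse, the query task keeps returning a non-zero exit code and the play fails on that host after the retries, instead of reporting a clean run with no active jail.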

These few steps are for all intents and purposes everything that's needed in a basic working install. For a less simplistic approach to installing Fail2ban, take a look at it again through the perspective of a more complex Ansible role instead:

Installing Fail2ban with an Ansible Role on Ubuntu 18.04 (Bionic Beaver)

This was very short and terse due to its simplicity, but thanks for reading.


More Information

Easily deploy an SSD cloud server on Digital Ocean in 55 seconds. Sign up using my link and receive $10.00 in free credit: https://www.digitalocean.com/?refcode=e91058dbfc7b


Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://www.tricksofthetrades.net/tags/Ansible/